Privacy Policy.
1. Who we are
EXIT CODE is a trading discipline tool registered as an Australian business under ABN 45 984 876 899. References to "we", "us", "our", or "EXIT CODE" mean the legal entity behind the EXIT CODE business name, identifiable via the ABN lookup at abr.business.gov.au.
We are not a broker. We do not execute trades. We do not provide financial advice. See our Terms of Service for the full description of what EXIT CODE does and does not do.
For legal correspondence, court process, or regulatory inquiries requiring the full registered legal entity name, contact info@exitcode.trade with the basis of the request. The underlying corporate trustee and trust structure are disclosed via the ABN lookup link above and are also available on direct request.
2. What information we collect
Information you provide directly
- Email address. When you join the waitlist, register for an account, or purchase a product.
- Payment information. Processed by Stripe; we never see or store your full card details.
- The Baseline submissions. When you take the pre-session check at /the-baseline/: sleep, stress, energy, external-pressure flags, motive, your committed max-trades and R-floor, and the resulting verdict. Stored against an anonymous token (see below), not your email.
- The Delay submissions. When you take the mid-session check at /the-delay/: body-state flags, motive, override-pressure indicators, and the resulting verdict. Stored against the same anonymous token.
- Trade log data. When you log a closed trade at /trade-close/ or in the workstation: R-multiple, exit price, and session-state mutations. Stored against your anonymous token (see below), not your email.
- Discord account link (optional). If you link your Discord account to your EXIT CODE subscription (to receive the appropriate role for your tier: `@pro-agent`, `@pro-bundle`, `@lifetime-holder`, or `@founder`), we store the mapping between your Stripe customer ID and your Discord user ID. This mapping is used to (a) grant your tier's roles automatically on purchase, (b) revoke paid roles on cancellation. No Discord message content is ever read, stored, or transmitted by EXIT CODE; the integration is role-grant only, not chat-read. Linking is initiated by you via Discord's standard OAuth flow; revoking is automatic on subscription end. To remove the link entirely, email
info@exitcode.tradewith your customer ID.
The anonymous token system
The Baseline, The Delay, and your personal Audit Dashboard use an opaque 16-character token generated locally in your browser on first visit. The token is stored in your browser's localStorage and passed as a query parameter in submissions. The token is not linked to your email, your real name, or your purchase identity; anyone holding the token URL can read its data, and only its data. If you clear your browser's localStorage, switch devices, or use a different browser, you start with a new token and begin a new submission history. The token IS the auth for the personal dashboard.
Information collected automatically
- IP address (hashed). All Baseline / Delay / Community / Waitlist submissions store an irreversible SHA-256 hash (first 12 hex characters) of your IP address, not the raw IP. Used for abuse detection and de-duplication. The raw IP is observed only in transit; we do not log it.
- Browser User-Agent string (truncated to 64 characters). Used for diagnostic purposes only.
- Page views on exitcode.trade. If we deploy analytics, only privacy-first tools (e.g. Plausible, Cloudflare Web Analytics); we do not use Google Analytics or any tool that fingerprints visitors.
- Email open + click events from emails sent via Brevo (our email-delivery provider).
Information we do NOT collect
- Your real name (unless you give it to us voluntarily)
- Your broker password or platform credentials. When you connect your own cTrader account, you authorise it through cTrader's own OAuth consent screen. EXIT CODE receives a revocable access token, never your password, and you can revoke it at any time.
- Your actual trade outcomes / dollar P&L (we capture gate decisions and behavioural patterns, not financial results)
- Sensitive personal information (race, religion, health diagnoses, etc.): the body-state flags in The Delay are coarse-grained somatic indicators, not health records, and are stored against an anonymous token only
- Your raw IP address (only an irreversible hash, as above)
3. How we use your information
- To deliver the product (grant TradingView access, send waitlist updates, process payments)
- To improve the product (anonymous aggregate analytics on which gates fire most often, etc.)
- To respond to support requests
- To meet legal obligations (Australian Privacy Act 1988, GDPR for EU customers, CCPA for California customers)
4. Who we share your information with
We share data only with the third-party services we depend on to operate the business:
- Stripe: payment processing. Stripe stores card data; we never see or store your full card number. Stripe's privacy policy at stripe.com/au/privacy.
- Brevo (formerly Sendinblue): email delivery for waitlist nurture, welcome emails, and broadcasts. Brevo stores your email address and engagement metrics. Privacy: brevo.com/legal/privacypolicy.
- Cloudflare: application hosting (Cloudflare Pages), data storage (Cloudflare KV), audio + video delivery (R2 and Stream). Cloudflare processes traffic to deliver pages and stores your submission data in encrypted KV namespaces in their global edge network. Privacy: cloudflare.com/privacypolicy.
- Discord (if you opt into the community channel): Discord stores your message content, profile, and any role assignments. Privacy: discord.com/privacy.
- TradingView: charting widget embedded on the workstation (their charting library loads in your browser for price display; we do not send TradingView your personal data). Privacy: tradingview.com/policies.
- ElevenLabs: text-to-speech audio rendering for the methodology course. ElevenLabs processes script text only; no personal customer data is sent. Privacy: elevenlabs.io/privacy.
- Kit (formerly ConvertKit): email list management and course-access automation. Kit stores your email address and the tags that record which lessons and tier you have access to. Privacy: kit.com/privacy.
- Anthropic: powers the in-app help assistant (Operator Zero). If you type a question into the help widget, that message is sent to Anthropic's API to generate the reply. Please do not enter sensitive personal information into the help widget. Privacy: anthropic.com/legal/privacy.
We do not sell your data. We do not share it for advertising purposes. We do not run any tracking pixel from third parties on the site.
5. Data retention
- Waitlist email: retained until you unsubscribe via the link in any email, or contact info@exitcode.trade to request deletion.
- Stripe customer + subscription data: retained per Stripe's policy and Australian tax-record requirements (5 years for ATO compliance), then deleted on the next scheduled purge.
- The Baseline + The Delay submissions: retained against the anonymous token for 12 months by default. If you submit them at all, the data is yours; request deletion at any time by emailing info@exitcode.trade with your token, and we delete all records matching that token within 7 business days.
- Community weekly submissions: retained for the duration of the member program plus 24 months for longitudinal pattern analysis. Anonymised aggregate data may be retained indefinitely for research / case-study material; individual submissions can be deleted on participant request.
- Pro Bundle course-access data (login sessions, last-watched lesson): retained while your access is active, then deleted 30 days after access is revoked or refunded.
6. Your rights
- Access. Request a copy of your data.
- Correction. Update inaccurate data.
- Deletion. Request permanent deletion ("right to be forgotten").
- Portability. Export your trade journal data in JSON format.
- Objection. Opt out of any non-essential processing.
To exercise any of these rights, email info@exitcode.trade.
7. Security
We use industry-standard encryption (TLS 1.3 in transit, AES-256 at rest). Payment data never touches our servers; Stripe handles all card processing. We do not store passwords: you sign in with a one-time login link sent to your email, and access to the workstation is granted by a private token, not a password you set.
We have no realistic way to be more secure than the underlying providers we use (Cloudflare, Stripe, and Brevo). If you are concerned about a specific threat model, contact us before subscribing.
8. International transfers
If you are in the EU, UK, or California, your data may be transferred to and processed in Australia or the United States (via our US-based service providers). We rely on Standard Contractual Clauses (EU) and equivalent transfer mechanisms.
9. Children
EXIT CODE is not for users under 18. We do not knowingly collect data from children.
10. Changes to this policy
If we make material changes, we will email registered users with at least 30 days' notice before the change takes effect.
11. Contact
Privacy concerns: info@exitcode.trade
Australian Privacy Commissioner (if you wish to complain): oaic.gov.au